IETF Logo Mail Archive

Re: [dns-privacy] review of draft-ietf-dprive-dtls-and-tls-profiles-11: we should revert DNSSEC validation requirement

"Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com> Mon, 30 October 2017 09:10 UTC

Return-Path: <TirumaleswarReddy_Konda@mcafee.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A13C313F8D6 for <dns-privacy@ietfa.amsl.com>; Mon, 30 Oct 2017 02:10:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.319
X-Spam-Level:
X-Spam-Status: No, score=-4.319 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=mcafee.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 70c08JScTq11 for <dns-privacy@ietfa.amsl.com>; Mon, 30 Oct 2017 02:10:01 -0700 (PDT)
Received: from DNVWSMAILOUT1.mcafee.com (dnvwsmailout1.mcafee.com [161.69.31.173]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 888CC13F601 for <dns-privacy@ietf.org>; Mon, 30 Oct 2017 02:10:01 -0700 (PDT)
X-NAI-Header: Modified by McAfee Email Gateway (5500)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mcafee.com; s=s_mcafee; t=1509354600; h=From: To:CC:Subject:Thread-Topic:Thread-Index:Date: Message-ID:References:In-Reply-To:Accept-Language: Content-Language:X-MS-Has-Attach:X-MS-TNEF-Correlator: authentication-results:x-originating-ip:x-ms-publictraffictype: x-microsoft-exchange-diagnostics:x-ms-exchange-antispam-srfa-diagnostics: x-ms-office365-filtering-correlation-id:x-microsoft-antispam: x-ms-traffictypediagnostic:x-exchange-antispam-report-test: x-microsoft-antispam-prvs:x-exchange-antispam-report-cfa-test: x-forefront-prvs:x-forefront-antispam-report: received-spf:spamdiagnosticoutput:spamdiagnosticmetadata: Content-Type:MIME-Version:X-MS-Exchange-CrossTenant-Network-Message-Id: X-MS-Exchange-CrossTenant-originalarrivaltime: X-MS-Exchange-CrossTenant-fromentityheader: X-MS-Exchange-CrossTenant-id:X-MS-Exchange-Transport-CrossTenantHeadersStamped: X-OriginatorOrg:X-NAI-Spam-Flag:X-NAI-Spam-Threshold: X-NAI-Spam-Score:X-NAI-Spam-Version; bh=L 6zar7yhDH++SSlAKy2/uQVySeAk/ijTQJypLlb57D Q=; b=VsNaBi89Ce3JtdnjVOdjjbjprQPksDTZOfIEAtXl0vkA AkUfuZJvk3WzMOXU/dXvmKQWMoeMfnkOQDAdHudV1BUBID3y1n 4EaMjHVQhulM5UM/kD4XecBWQ8JxyAhdu4GHlLlumJ+TlBZWKn AF7hOuFWvb7WpkPT+zH7xLoEQmw=
Received: from DNVEXAPP1N05.corpzone.internalzone.com (unknown [10.44.48.89]) by DNVWSMAILOUT1.mcafee.com with smtp id 53aa_4561_b187bce0_68a8_4f68_8dfe_e05f67108552; Mon, 30 Oct 2017 04:10:00 -0500
Received: from DNVEXUSR1N12.corpzone.internalzone.com (10.44.48.85) by DNVEXAPP1N05.corpzone.internalzone.com (10.44.48.89) with Microsoft SMTP Server (TLS) id 15.0.1347.2; Mon, 30 Oct 2017 03:09:45 -0600
Received: from DNVEXUSR1N13.corpzone.internalzone.com (10.44.48.86) by DNVEXUSR1N12.corpzone.internalzone.com (10.44.48.85) with Microsoft SMTP Server (TLS) id 15.0.1347.2; Mon, 30 Oct 2017 03:09:44 -0600
Received: from DNVO365EDGE1.corpzone.internalzone.com (10.44.176.66) by DNVEXUSR1N13.corpzone.internalzone.com (10.44.48.86) with Microsoft SMTP Server (TLS) id 15.0.1347.2 via Frontend Transport; Mon, 30 Oct 2017 03:09:44 -0600
Received: from NAM03-BY2-obe.outbound.protection.outlook.com (10.44.176.242) by edge.mcafee.com (10.44.176.66) with Microsoft SMTP Server (TLS) id 15.0.1347.2; Mon, 30 Oct 2017 03:09:43 -0600
Received: from DM5PR16MB1788.namprd16.prod.outlook.com (10.172.44.144) by DM5PR16MB1787.namprd16.prod.outlook.com (10.172.44.143) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.20.178.6; Mon, 30 Oct 2017 09:09:40 +0000
Received: from DM5PR16MB1788.namprd16.prod.outlook.com ([10.172.44.144]) by DM5PR16MB1788.namprd16.prod.outlook.com ([10.172.44.144]) with mapi id 15.20.0178.012; Mon, 30 Oct 2017 09:09:40 +0000
From: "Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com>
To: Ben Schwartz <bemasc@google.com>, Daniel Kahn Gillmor <dkg@fifthhorseman.net>
CC: "dns-privacy@ietf.org" <dns-privacy@ietf.org>
Thread-Topic: [dns-privacy] review of draft-ietf-dprive-dtls-and-tls-profiles-11: we should revert DNSSEC validation requirement
Thread-Index: AQHTT+N/U3oS1xfLdkyJreqW4BxYC6L5bNgAgAKwpGA=
Date: Mon, 30 Oct 2017 09:09:40 +0000
Message-ID: <DM5PR16MB1788102A02C9B188B915258EEA590@DM5PR16MB1788.namprd16.prod.outlook.com>
References: <878tfwey8w.fsf@fifthhorseman.net> <CAHbrMsAQ-9z_5Nicf=RMDCgYf5vS92H9CeRRWUTj-UOYrB-_Mw@mail.gmail.com>
In-Reply-To: <CAHbrMsAQ-9z_5Nicf=RMDCgYf5vS92H9CeRRWUTj-UOYrB-_Mw@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=TirumaleswarReddy_Konda@McAfee.com;
x-originating-ip: [103.245.47.20]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; DM5PR16MB1787; 6:e5ysot5EtMG0773w1NMF+IIsxcoMxBht2puB+j/y8KzbrRKqE3f1fUeaRP8HlopFNwgNcxlTdPuzIitzhuSlhTFNwaB12I7R1go18/Sfoxaoz5HylD1IL96EA9Lmj9r+YF/G9Dk43rIQvPfk69Qai+3VpVdtz4UvUCvzFqt4rIC08UX7dlB0ScgxCdNrUDnZ0rQuKbKVZPY0+/C1hdiz9K4FGl/g0pCd0QoMAQCPzfOlbqFJnRKM1OJznQGleouG5VLqapXl5XxkWojeOyqtROT16sdfaUX2G35Fm5jAIfAI9dxvffTzjYYBdbBf9U04cA/woA1UVSSJ2P8p3snfdh55esTeOYYREXhRWskxDMY=; 5:6ykMGywwosREeg2JdMIERh0ziwE9ghytXMaIrnG88E2nBAynYRQKfjMhDqC4PCODGKuurZO57N91asVxvOXXSr59R3N8rRdbgFw9PaD4mK3DausGHWHZkKIAEU48Mdz7aG2XP/m3TWrM0czXXMugeKmVH3eRenYI6KxpQJ5qzEg=; 24:IvLA0ssK2KjMczHjVxYZGaDIzTGuZvwyhefZ5oDAT6iISb3DmQFWw9/eGf9jNB62863qn7HtEYTjf2GZFcUIKgcm71MVxmuRal+dwE0s7gM=; 7:Hm2ToOLZT5nYNDYHalAxwBoXEcMdzU6Vg+m3g6KpLoaDWsT38hhMQe409nRP7750eBdW14vmcYjXJFN4mJyL/+5ZrA+CHt2elgb1tdlSLlPR0LELRs7Yfp+ymGF9bYBbpyr5w9IgYHkpiz1o0vltGfuJ0FF3s9zNVzptqGBlfE5DeGZaIH4W5+13ADrPhLRvwavekf5D5FNZvwEDW7Vi5zG1gBJIl/LjXUSwZa4q/D4CpxtSxM7Kp+9/aagiHcd0
x-ms-exchange-antispam-srfa-diagnostics: SSOS;
x-ms-office365-filtering-correlation-id: 8b585bb1-ec69-414a-a47e-08d51f75f3e0
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(22001)(4534020)(4602075)(2017052603238); SRVR:DM5PR16MB1787;
x-ms-traffictypediagnostic: DM5PR16MB1787:
x-exchange-antispam-report-test: UriScan:(158342451672863)(21748063052155)(21532816269658)(211171220733660);
x-microsoft-antispam-prvs: <DM5PR16MB17874A60B5340E686F3BC38BEA590@DM5PR16MB1787.namprd16.prod.outlook.com>
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(100000700101)(100105000095)(100000701101)(100105300095)(100000702101)(100105100095)(6040450)(2401047)(8121501046)(5005006)(3231020)(10201501046)(3002001)(93006095)(93001095)(100000703101)(100105400095)(6041248)(201703131423075)(201702281528075)(201703061421075)(201703061406153)(20161123564025)(20161123555025)(20161123560025)(20161123558100)(20161123562025)(6072148)(201708071742011)(100000704101)(100105200095)(100000705101)(100105500095); SRVR:DM5PR16MB1787; BCL:0; PCL:0; RULEID:(100000800101)(100110000095)(100000801101)(100110300095)(100000802101)(100110100095)(100000803101)(100110400095)(100000804101)(100110200095)(100000805101)(100110500095); SRVR:DM5PR16MB1787;
x-forefront-prvs: 0476D4AB88
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(376002)(346002)(32952001)(199003)(189002)(52314003)(24454002)(72206003)(99286003)(81156014)(25786009)(55016002)(229853002)(101416001)(50986999)(81166006)(76176999)(54356999)(80792005)(8676002)(561944003)(2906002)(53936002)(106356001)(230783001)(105586002)(236005)(6306002)(54896002)(9686003)(606006)(74316002)(3280700002)(8936002)(5660300001)(2900100001)(14454004)(3660700001)(77096006)(97736004)(86362001)(66066001)(6506006)(6436002)(110136005)(68736007)(478600001)(19609705001)(7696004)(316002)(966005)(4326008)(6116002)(102836003)(3846002)(790700001)(2950100002)(33656002)(6246003)(53546010)(189998001)(7736002)(85282002); DIR:OUT; SFP:1101; SCL:1; SRVR:DM5PR16MB1787; H:DM5PR16MB1788.namprd16.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; A:1; MX:3; LANG:en;
received-spf: None (protection.outlook.com: McAfee.com does not designate permitted sender hosts)
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_DM5PR16MB1788102A02C9B188B915258EEA590DM5PR16MB1788namp_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: 8b585bb1-ec69-414a-a47e-08d51f75f3e0
X-MS-Exchange-CrossTenant-originalarrivaltime: 30 Oct 2017 09:09:40.5076 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 4943e38c-6dd4-428c-886d-24932bc2d5de
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM5PR16MB1787
X-OriginatorOrg: mcafee.com
X-NAI-Spam-Flag: NO
X-NAI-Spam-Threshold: 15
X-NAI-Spam-Score: 0
X-NAI-Spam-Version: 2.3.0.9418 : core <6146> : inlines <6150> : streams <1768836> : uri <2524759>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/J_mB3ulIAnJwscVNMPRife1dZCY>
Subject: Re: [dns-privacy] review of draft-ietf-dprive-dtls-and-tls-profiles-11: we should revert DNSSEC validation requirement
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 30 Oct 2017 09:10:04 -0000

+1, DNSSEC itself is susceptible to active attacks and needs a secure channel to protect from an active attacker.

-Tiru

From: dns-privacy [mailto:dns-privacy-bounces@ietf.org] On Behalf Of Ben Schwartz
Sent: Saturday, October 28, 2017 9:34 PM
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Cc: dns-privacy@ietf.org
Subject: Re: [dns-privacy] review of draft-ietf-dprive-dtls-and-tls-profiles-11: we should revert DNSSEC validation requirement

I agree with DKG's analysis.

Also, as an implementor, I think this requirement would be onerous.  In the software I am modifying, implementing DNS-over-TLS is dramatically easier than adding a validating stub resolver.  I wouldn't be implementing DNS-over-TLS if DNSSEC were mandatory (in either mode).

On Fri, Oct 27, 2017 at 11:40 PM, Daniel Kahn Gillmor <dkg@fifthhorseman.net<mailto:dkg@fifthhorseman.net>> wrote:
Hey DPRIVE folks--

Apologies for the delay, and that this message is so long.  I've tried
to reconstruct this discussion around
draft-ietf-dprive-dtls-and-tls-profiles-11 as best i can, and my
analysis follows.  If i've misundertood or misanalyzed something,
please let me know.

Summary
-------

I do not believe that DNSSEC validation is warranted as a mitigation
against an active attacker in the context of an opportunistic metaquery,
regardless of whether the client ultimately intends to follow either the
Strict or Opportunistic profile.

Furthermore, i believe that the proposal in draft-11 of making DNSSEC
validation of metaqueries a MUST for the opportunistic profile is
*actively harmful* to the stated goal of the opportunistic profile
(i.e., "maximum chance of DNS service").

I like the reorganization and re-wording of the "Usage Profiles"
section in draft-11, and think we should keep it.  But i think the
other changes between draft-10 and draft-11 are unwarranted and should
be reverted.


Analysis
--------

AIUI, the scenario under discussion is:

 * A DNS client (following either the strict or the opportunistic
   profile)
 * using opportunistic meta-queries to find the desired DNS resolver
 * in the face of an active attacker

We already know that an attacker capable of filtering the client's
*outbound* traffic can cause a denial of service (for clients following
the strict profile) or loss of privacy (for clients following the
opportunistic profile, because they fall back to cleartext) simply by
dropping outbound connections to *anywhere* TCP port 853.

Likewise, We also know that an attacker capable of filtering the
client's *inbound* traffic can cause a denial of service (strict
clients) or loss of privacy (opportunistic clients) simply by dropping
inbound connections from any TCP port 853.

But the introduction of an opportunistically-secured meta-query
introduces a DoS attack (strict clients) or loss of privacy
(opportunistic clients) that can be achieved by a weaker attacker.
Since we're talking about an attacker that is *not* in control of the
network, the following analysis assumes that the the network provides
"legitimate" DHCP service, which is supposed to point the client to a
"legitimate" standard DNS resolver (which may or may not be
privacy-enabled, but is sufficient for answering an opportunistic
metaquery correctly).

In particular, the attacker needs only one of the following two
capabilities:

  (a) Controlling the "legitimate" DHCP server, or detecting the
      client's DHCP request and racing the "legitimate" DHCP server to
      return a DHCP response (this allows the attacker to set the
      resolver used by the client for its opportunistic metaquery), or

  (b) Controlling the "legitimate" DNS resolver, or detecting the
      client's opportunistic metaquery and racing the "legitimate" DNS
      resolver to provide a malicious DNS response.

In either case, the result is that the attacker has poisoned the
client's meta-cache -- its best guess at the location of the desired
privacy-enabled DNS resolver.  A poisoned meta-cache results in a DoS
for clients in "Strict" mode because the attacker's answering DNS
resolver at the learned address cannot authenticate.  A poisoned
meta-cache results in a loss of privacy for clients in "Opportunistic"
mode because they will connect without authentication to the attacker's
answering DNS resolver.

Have i got that right?

DNSSEC validation does not mitigate this attack.

Regardless of the profile, the client has four options when it
discovers that the response to the metadata query was forged (or at
any rate is not validatable).  It can:

  (0) ignore the response, resulting in a DoS regardless of profile,
      or

  (1) ignore the validation failure, and try connecting to the
      proposed address anyway (resulting in a DoS for strict clients
      because the server does not validate, or a loss of privacy for
      opportunistic clients), or

  (2) retry the metaquery (in the hopes that their attacker is in class
      "b" and not in full control of the "legitimate" DNS resolver) and
      maybe the legitimate DNS response will come in, or

  (3) abort the network connection and retry DHCP (in the hopes that the
      attacker is in class "a" and not in full control of the
      "legitimate" DHCP server) and maybe the legitimate DHCP response
      will come in.

Choice 0 is the same outcome as the non-DNSSEC-validating scenario for
strict clients (no mitigation), and *strictly worse* for opportunistic
clients, because it converts a loss of privacy to a DoS, which is in
direct opposition to the stated goal of the opportunistic profile.

Choice 1 is exactly the same outcome as the non-DNSSEC-validating
scenario for all clients. (no mitigation)

Choices 2 and 3 are interesting thought experiments, but are not
directly contemplated in the draft (and i think they would be a
distraction from the goal of the draft -- this draft is not "how to do
staged opportunistic fallback in the face of an arbitrarily corrupt
network"), so i won't go into them here.

At best, DNSSEC validation of the metaquery could be used to provide
additional reporting information to any client-internal
auditing/reporting or other defensive measures; but again, this draft
should not go into those in any detail.

Background
----------

To be clear about where this analysis is coming from, my rule of thumb
for these two profiles is:

 * Strict

   Do whatever you can to connect to the preferred privacy-enabled
   resolver, but don't actually send queries unless you're sure you
   have authenticated the server.

 * Opportunistic

   Do whatever you can to connect to the preferred privacy-enabled
   resolver, but go ahead and send your queries to it anyway, even if
   it cannot be authenticated.

Note that both modes can report (e.g., to a local system
auditor/monitor/policy-agent) any failures or errors they encounter.
But Strict mode will fail closed (DoS), and Opportunistic mode will
fail open (loss of privacy).

To be clear: the client is *locally configured* to be either in Strict
or Opportunistic mode.  Orthogonally, it is also locally configured with
some server authentication information.

If its locally-configured server authentication information is of the
form "ADN" only, then -- even when configured in Strict mode -- it
will do an Opportunistic DNS resolution of the address of the desired
resolver.  This is the "opportunistic meta-query".

Many moons ago, ekr wrote:

> I.e., if you determine whether to adopt a Strict policy based on
> Opportunistic queries, then you are back to the active attack
> setting.

But the client is *not* determining whether to adopt a Strict policy
based on the opportunistic meta-query.  It has already decided which
profile it is using, and the opportunistic meta-query merely to find
the IP address of its desired privacy-enabled DNS resolver.


So i guess i'm still DISCUSSing ekr's DISCUSS, which is an unfortunate
state for the draft to be in. :(


I welcome clarification if i've misunderstood the problem we're trying
to address here, or if i've somehow let myself lapse into some sort of
"privacy nihilism".

         --dkg

_______________________________________________
dns-privacy mailing list
dns-privacy@ietf.org<mailto:dns-privacy@ietf.org>
https://www.ietf.org/mailman/listinfo/dns-privacy

v2.23.0 | Report a Bug | By Email